Doctors 'risking email privacy breaches'
- 2 June 2012
- From the section Health
As the email whizzes off into the ether, dread strikes. It's gone to the wrong person.
Normally, the worst that can happen is a little embarrassment.
But a medical advice body is warning that while trying to use modern technology to contact patients, doctors are sometimes revealing confidential information.
The Medical Defence Union, which counts more than 50% of UK hospital doctors and GPs as members, says it is being contacted by medics worried about how to put right such data breaches.
In one case a practice sent patients an email reminder for a flu vaccination clinic, but mistakenly pasted the email addresses into the "To" rather than the "Bcc" - blind copies - box.
A patient complained that a friend, who had also received the email, had asked her why she was on the list.
She was being offered the jab because she had cancer - but she had not wanted her friend to know.
Most mix-ups occur when senders inadvertently use the To or Cc boxes instead of Bcc, allowing all recipients to see the names and email addresses of everyone on the list.
The MDU is issuing advice to doctors about how to send out group emails, and what to do if it goes wrong.
Its author, Dr Carol Chu, MDU medico-legal adviser, said the organisation had received a significant number of requests for advice from members.
"These are breaches of confidence. It shows those in the email group that other individuals are part of that practice, and part of that particular group.
"And, while you may not be directly releasing clinical information, it can be possible for people to make assumptions, especially in small communities.
"For example, on a flu jab reminder list, you may be on there because you are immunosuppressed, because you have cancer or HIV - or other reasons you don't want people to know about."
She said practices also used email to contact groups of people with particular conditions, such as diabetes or heart disease.
"If a mistake is made in an email to a group of patients about a particular treatment or service, such as an asthma, immunisation or diabetes clinic, doctors run the risk of a triple breach of confidence - by revealing the patient's email address; that the person is a patient; and that they are likely to have a condition that might benefit from the service being offered."
Dr Chu added: "Electronic communication can bring a wealth of benefits to doctors and to patients, however it is not without risks."
Doctors are at risk of being in breach of both the Data Protection Act 1998 and the Privacy and Electronic Communications regulations 2003 - and the Information Commissioner would have to be informed.
A spokesman for the Information Commissioner's office said GP practices, like hospital trusts and local councils had a responsibility to take care of the data they hold.
He added: "Bcc and group emails are a concern. If we find a breach related to Bcc, and particularly if that's caused damage or distress, we would take enforcement action."
Katherine Murphy, chief executive at the Patients Association, said it had received complaints from patients about their GPs' use of texts or emails.
She added: "Whilst we fully recognise that the NHS needs to embrace technology, we do not want to see patient confidentiality compromised as a result.
"Every GP practice has a duty to ensure that this does not occur."